1.1. The Legal Marketing Innovation Company t/a Business Stack (“Business Stack”, “we”, “our” or “us”) provides this notice to you because you are applying to work with us as an employee, worker or contractor.
1.2. This notice sets out the basis on which we will process your personal data. Please read it carefully to understand our practices regarding your personal data and how we will use it.
2. About us
2.1. Business Stack is the controller of the personal data of prospective employees, workers and contractors, and is subject to applicable data protection laws.
2.2. If you have any questions about this notice or your personal data, or wish to exercise any of your rights as described in this notice or under applicable data protection laws, you can contact email@example.com
3. What types of personal data are protected?
3.1. This notice applies to your “personal data”. This is any information relating to you as an identified or identifiable person.
‘Special categories of personal data’ (UK and EU countries) or ‘sensitive personal data’ in other countries
3.2. Within the broad range of information which can be personal data, the following are “special categories of personal data” which are subject to a greater degree of protection:
- physical or mental health;
- racial or ethnic origin;
- political opinions;
- trade union membership;
- religious beliefs;
- sexuality or sexual life; and
- genetic and biometric data.
3.3. In non-EU countries, other types of sensitive personal data can include:
- social status;
- criminal history;
- philosophical beliefs;
- membership of a professional or trade association;
- social security numbers;
- bank account information;
- financial data; and
- creditworthiness data.
Personal data we collect
4. What personal data we collect
Personal data you give us
4.1. You may give us personal data about you by filling in forms online, corresponding with us by phone, email, in person, or otherwise, or through a recruitment agency or other third party.
Personal data we collect from you
4.2. The personal data that we collect about you includes, but is not limited to, the following:
- your name;
- home address;
- contact details (such as telephone number and email address);
- date of birth;
- marital status;
- copies of your passport, driving license and similar documents (and personal data included in these documents);
- education history (including copies of relevant degrees, diplomas or certificates if required), training and professional experience;
- current and past employment details;
- immigration status and work permits;
- languages spoken and level of proficiency; and
- other information given in your CV.
Special categories of personal data or sensitive personal data
4.3. Your personal data includes such ‘special categories of personal data’ or ‘sensitive personal data’ (see the description provided above) as you and any third parties (for example, medical professionals) provide to us.
5. Personal data provided by third parties
5.1. We also collect information from external sources, such as those that are commercially available to us.
5.2. Some of the personal data we collect (as described in Section 4), and additional information, may be provided to us by recruitment agencies with whom you have registered an interest. Such recruitment agencies support our recruitment processes under a duty of confidentiality.
5.3. Where allowed by law:
- during the recruitment process we may also research information regarding your skills, experience or qualifications and comments and opinions made public on social networking sites such as LinkedIn, Facebook, Instagram and Twitter; and
- we may also receive other personal data about you from organizations such as third-party background screening providers, credit reference agencies, fraud prevention agencies, sanction screening, criminal convictions screening and referees.
6. Data relating to criminal convictions and offenses
Where required and allowed by law, we also collect and store personal data relating to criminal convictions and offenses. We only collect such personal data if you have given your explicit consent. This data is only processed where it is necessary for the purposes of:
- complying with or assisting other persons to comply with a regulatory requirement which involves Business Stack taking steps to establish whether you have committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct;
- preventing or detecting unlawful acts (including fraud);
- any legal proceedings (including prospective legal proceedings);
- obtaining legal advice; or
- establishing, exercising or defending legal rights.
How we use your personal data
7. What we do with your personal data and our legal basis
7.1. We process your personal data (other than ‘special categories of personal data’ or ‘sensitive personal data’) for the reasons listed below. The legal justification for our processing is, in each case, one or more of the following purposes (specific examples are given for each).
7.2. Please note that the lists of processing activities included in this section are not exhaustive. They are illustrative of the different types of processing that we may undertake. Please contact Business Stack’s DPO if you have a question about whether we process your personal data for a specific purpose not listed in this section.
Where we have a legal or regulatory obligation
7.3. Local laws and certain regulations require us to process personal data to comply with our legal or regulatory obligations. To do so, we process your personal data for the following purposes, for example:
- preventing illegal working;
- complying with health and safety obligations;
- ensuring the safety and security of our systems;
- carrying out equal opportunities monitoring;
- responding to government statistical monitoring;
- assessing fitness and propriety of individuals for the purpose of relevant regulatory schemes to which we must adhere;
- liaising with relevant tax authorities and other government entities or agencies in relation to attachments of earnings and similar deductions;
- providing references; and
- communications with public or regulatory bodies.
Where we have a legitimate interest
7.4. Data protection law allows us to process personal data where it is necessary for the purposes of our legitimate interests as a business. We consider it to be in our legitimate interests to process personal data for the following purposes, for example:
- recruitment processes (including negotiation and communicating with you in relation to your application);
- considering your suitability for employment/work, taking up references, and conducting appropriate checks;
- dealing with any legal disputes involving you or other prospective, current or former employees, workers or contractors;
- contacting former employers for work related or reference related reasons;
- keeping our IT system safe and secure; and
- reporting to government entities.
‘Special categories of personal data’ or ‘sensitive personal data’
7.5. We process ‘special categories of personal data’ or ‘sensitive personal data’ for the purposes of:
- carrying out the obligations we have to exercise both Business Stack’s and your specific rights which are imposed by employment laws, including, where it is in the public interest, monitoring equality opportunities, assessing suitability for particular jobs and to consider whether adjustments may need to be made to accommodate an individual with a disability;
- establishing, bringing or defending legal claims; and
- in the case of personal data about your physical or mental health, to enable Business Stack to assess your working capacity and take decisions for occupational health purposes.
8. Disclosure of your personal data to third parties
8.1. For the purposes set out in Section 7 above, we share your personal data with:
- our group companies;
- professional advisors (including lawyers, accountants and auditors);
- legal and regulatory authorities; and
- taxation authorities.
8.2. We also share your personal data with other parties which provide products or services to Business Stack (for example, our talent management platform, Google Suite, our benefits providers):
- to comply with our overriding legal and regulatory obligations to you;
- to ensure that we comply with any contract that we enter into with you; and
- where we have a legitimate interest in doing so.
8.4. As part of the reporting requirements, we are obliged to provide your personal data either directly to our regulators or to regulators through accredited third parties. We only provide this information where it is necessary for compliance with our legal obligations.
8.5. We also disclose your personal data to third parties where it is in our legitimate interest to do so, including for the following reasons:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if all or substantially all of our assets are acquired by a third party, in which case personal data held by us about our applicants will be one of the transferred assets; or
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation.
8.6. Except as set out in this notice, or as required by law, we do not sell your personal data or disclose it to any third parties without your consent.
9. Security of your personal data
9.1. We are committed to ensuring that your personal data is safe and take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this notice.
9.2. Business Stack stores all personal data you provide to us electronically on our secure servers within the United Kingdom or the European Union.
9.3. Unfortunately, the transmission of personal data through the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to or stored on our IT system, and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorized access.
10. How long we keep your personal data
We will keep your personal data for as long as necessary to fulfill the purposes described in this notice or in the terms of any contract that we enter into or for as long as we are required by law or in order to comply with a regulatory obligation. After this, where allowed by laws and this notice, we will erase your personal data.
11. Your rights
Access to your personal data and updating your personal data
11.1. Subject to applicable laws in your location, you may have the right to access personal data which we hold about you. If you so request, we shall provide you with a copy of your personal data which we are processing and hold about you. For any further copies which you may request, we may charge a reasonable fee based on administrative costs.
11.2. In limited circumstances, you also have the right to receive your personal data in a structured and commonly used format so that it can be transferred to another controller.
11.3. We want to make sure that your personal data is accurate and up to date. You may ask us to correct or remove personal data which you think is inaccurate.
Right to object to processing in certain circumstances
11.4. Subject to applicable laws in your location, you may also have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on our legitimate interests. Where you object on this ground, we will no longer process your personal data unless:
- processing is nevertheless necessary for the performance of a contract that you enter into with us;
- processing is necessary for the establishment, exercise or defense of legal claims;
- we have a legal or regulatory obligation for which the processing of your personal data is necessary; or
- we can demonstrate that our legitimate interest is sufficiently compelling to override your fundamental rights and freedoms.
Your other rights
11.5. Subject to applicable laws in your location, you may also have the right to request that we rectify your personal data if it is inaccurate or incomplete.
11.6. In certain limited circumstances, you may have the right to request the erasure of your personal data.
11.7. Where we rely on your consent to process personal data, you may withdraw this consent at any time. Please note that any such withdrawal will not affect the validity of personal data we processed before you withdraw your consent.
12. Exercising your rights
12.1. You can exercise any of your rights as described in this notice and under data protection laws by contacting Business Stack’s Data Protection Officer through email at firstname.lastname@example.org
12.2. Unless set out in this notice or provided under data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:
- charge a reasonable fee, taking into account the administrative costs of providing your personal data or taking the action requested; or
- refuse to act on the request.
12.3. Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
12.4. We will endeavor to respond to your request within the time period mandated by applicable law. In the UK and EU, this means that we will endeavor to respond to your request within one month. Please note, however, that this time period may be extended by a further two months in some cases.
13. International transfers
13.1. Your personal data will be stored on servers located in the United Kingdom, or the European Union.
13.2. Where required by applicable laws, your consent to the transfer of your personal data outside your home country to the United Kingdom or European Union will be obtained as part of your application.
13.3. Regardless of where your personal data is transferred, we shall ensure that your personal data is safe and shall take all steps reasonably necessary to put in place appropriate safeguards to ensure that your personal data is treated securely and in accordance with this notice and applicable law. Details regarding these safeguards can be obtained from the Data Protection Officer whose details are given above.
14.1. Please direct any complaints about how Business Stack processes your personal data to our Data Protection Officer.
14.2. You also have the right to complain to your local data protection authority:
- a list of European Union data protection authorities can be found at this website; and
- the United Kingdom’s data protection authority’s contact details can be found at this website.
This notice may be amended by Business Stack at any time in our sole and absolute discretion. You can always find the latest version of this notice on our website.